Severity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L
Network-reachable blind SQLi needs an existing high-privilege account (PR:H, AC:L); read-oriented data disclosure gives C:H with I:N/A:N, and scope stays unchanged absent evidence of cross-system impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
2DescriptionCVE.org
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Hannan گرویتی فرم فارسی persian-gravity-forms allows Blind SQL Injection.This issue affects گرویتی فرم فارسی: from n/a through <= 3.0.2.
AnalysisAI
Blind SQL injection in the persian-gravity-forms WordPress plugin (گرویتی فرم فارسی) affects all versions up to and including 3.0.2, allowing a high-privilege authenticated attacker to inject arbitrary SQL through unsanitized input and blindly extract database contents. The flaw was reported by Patchstack and carries a CVSS 7.6 due to a changed scope and high confidentiality impact. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a high-privilege authenticated WordPress session (CVSS PR:H), so the attacker must already possess administrator-level or equivalently elevated access to the target site before reaching the vulnerable persian-gravity-forms code path; this is the primary factor limiting real-world exploitation. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L) indicates a network-reachable, low-complexity attack requiring high privileges and no user interaction, with a scope change and high confidentiality impact - a base score of 7.6 (High). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained a high-privilege WordPress account - for example via credential theft, phishing of an administrator, or session hijacking - submits crafted input to the vulnerable plugin parameter, causing boolean- or time-based blind SQL injection. By iterating inference queries, they exfiltrate sensitive database contents such as password hashes, secret keys, and user PII. … |
| Remediation | No vendor-released patch version was identified in the provided data, so the exact fixed release is not confirmed - consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/persian-gravity-forms/vulnerability/wordpress-ro-t-frm-f-rs-plugin-3-0-2-sql-injection-vulnerability?_s_id=cve) for any release after 3.0.2 and upgrade to it as the primary fix. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, audit all WordPress installations to identify those running Persian Gravity Forms and document installed versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43435